Imagine a camera on Main Street that can instantly pull up your name, criminal record, and credit score as you pass by. That reality is no longer fiction in North Dakota, but the legality of such facial‑recognition technology (FRT) hinges on a new statutory framework that took effect in 2026. As of today, FRT is legal for both public and private use, but it is now subject to strict notice, consent, and warrant requirements that did not exist a few years ago.
Current Legal Status of Facial Recognition in North Dakota
Before 2026, North Dakota had no comprehensive biometric privacy law. State courts treated FRT as a surveillance tool governed by general privacy and due‑process doctrines, allowing law‑enforcement agencies to deploy it without a warrant when linked to an ongoing investigation (see State v. Nelson, 2022). Private companies could install cameras and use third‑party analytics without explicit statutory constraints, relying only on contract law and the limited provisions of the North Dakota Uniform Deceptive Trade Practices Act. Consequently, a patchwork of municipal ordinances and agency policies filled the regulatory gap, creating uncertainty for businesses and citizens alike.
What Changed in 2026 – The Biometric Surveillance Act
In April 2026, the North Dakota Legislature enacted the Biometric Surveillance Act (BSA), codified at §§ 12.1‑12.9. Key provisions include:
- Government Use: Any state or local agency must obtain a judicial warrant before using FRT to identify a specific individual, unless the situation falls under an established emergency exception.
- Private Use: Companies must provide clear, written notice at the point of data capture and obtain opt‑in consent from individuals whose facial data will be stored or shared.
- Data Retention: Collected facial templates may be retained for no more than 90 days unless a separate retention schedule is approved by the State Privacy Commission.
- Accountability: Agencies and businesses must submit annual compliance reports, and violations are subject to civil penalties of up to $10,000 per incident.
The BSA was spurred by a 2025 data‑breach involving a regional health system whose facial‑recognition database was exposed, prompting public outcry and bipartisan action (North Dakota Legislative Research Council, 2025).
Practical Impact on Law Enforcement and Private Entities
Law‑enforcement agencies now integrate FRT into a “warrant‑first” workflow. Officers submit an affidavit outlining the specific suspect, location, and time frame; a judge reviews the request, and if approved, the system can run a live‑feed match. The emergency exception permits real‑time use during active threats, but agencies must log the incident within 24 hours.
Private businesses, from retail chains to universities, must redesign sign‑age to include a bold notice: “Facial‑recognition technology is in use. By entering, you consent to biometric data collection.” Platforms that rely on passive collection without consent must disable the feature or risk enforcement action. Many companies have adopted edge‑processing solutions that delete raw images after generating an anonymized match score, thereby limiting data exposure.
Compliance Checklist for Businesses
- Conduct a biometric data audit to identify all FRT systems in use.
- Update privacy policies to reflect BSA notice and opt‑in language.
- Implement a consent management portal that logs each individual’s agreement and withdrawal.
- Configure systems to automatically purge facial templates after 90 days.
- Prepare annual reports for the State Privacy Commission, documenting data flows, security measures, and any breach incidents.
Adhering to these steps not only avoids penalties but also builds consumer trust in a market where biometric privacy is increasingly salient.
Frequently Asked Questions
Is a warrant always required for police to use facial recognition?
A warrant is required unless an emergency exception applies, such as an active shooter or imminent threat. The warrant must specify the target, location, and time frame, and must be issued by a neutral magistrate.
Can a private business use facial recognition without obtaining consent?
No. The BSA mandates explicit opt‑in consent for any storage or sharing of facial templates. Passive observation without data retention may be permissible, but best practice is to provide notice and allow individuals to decline.
What happens if a company exceeds the 90‑day retention limit?
Exceeding the statutory retention period subjects the company to civil penalties of up to $10,000 per violation, and may trigger an investigation by the State Privacy Commission.
Are there any exemptions for schools or universities?
Educational institutions are treated as private entities under the BSA and must follow the same notice‑and‑consent rules. However, they may qualify for a limited exemption when using FRT solely for campus security and the system is integrated with a warrant‑based protocol.
How does the BSA affect existing biometric data collected before 2026?
Organizations must retroactively obtain consent for any pre‑2026 facial data that remains in their systems, or delete the data outright. Failure to do so is treated as a continuing violation.